An information disclosure flaw in the AliExpress online shopping site allowed anyone signed in to the marketplace to read personal information about other customers.
Changing the value of the “mailingAddressId” URL parameter was enough to pull up the contact details of other users.
Hundreds of millions of users have AliExpress accounts
AliExpress is a wholesale marketplace that is part of the Chinese Alibaba Group. Launched in 2010, it is one of the most visited online retail sites in Russia.
According to China Internet Watch, transactions on AliExpress helped Alibaba almost double its international retail commerce revenue in Q3 2014, to $68 million / €55 million.
To get a clearer idea of the size of the business: the retailer announced sales of $9.3 billion / €7.532 billion on November 11, the day of China’s largest online shopping festival. Almost half of the transactions came from mobile devices, and sales were more than twice those of Black Friday, Alibaba’s e-commerce news division Alizila said on Twitter.
Hundreds of millions of users from all over the world have an AliExpress account, which is what makes the vulnerability so serious.
Changing a simple value reveals data of other customers
Researcher Dan Amitay from Israel found that when editing the shipping address of an account, a “mailingAddressId” value appears in the URL. Simply supplying a different value for that parameter loaded the address details of another AliExpress user: name, country, city, street address, and telephone number.
Fortunately, only shipping address records were reachable through this unauthorized access; no financial data or email addresses were exposed.
The flaw was possible because the server never checked that the requested address belonged to the logged-in account: any authenticated session could read any record it could name, a textbook insecure direct object reference (IDOR).
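The following is an added illustration of the bug class described above, not AliExpress’s code: a reconstruction of an address-edit handler that looks records up by a client-supplied id alone, next to the same handler with the missing ownership check. The function names, the in-memory “database” and the two sample records are all constructed for the example.

```python
# Added example: an insecure direct object reference (IDOR) on a mailing-address
# lookup, and its fix. This is illustrative code, not AliExpress's implementation;
# the names, the in-memory store and the records below are constructed.

from dataclasses import dataclass
from typing import Optional


@dataclass(frozen=True)
class MailingAddress:
    address_id: int
    owner_id: int          # the account that created this shipping address
    name: str
    country: str
    city: str
    street: str
    phone: str


class NotAuthorized(Exception):
    """Raised when the caller may not view the requested record."""


# Constructed sample data: two accounts (owner_id 1 and 2), one address each.
ADDRESSES = {
    1001: MailingAddress(1001, 1, "Alice Example", "IL", "Tel Aviv",
                         "1 Example St", "+972-50-000-0001"),
    1002: MailingAddress(1002, 2, "Bob Example", "RU", "Moscow",
                         "2 Example St", "+7-900-000-0002"),
}


def edit_address_vulnerable(session_user_id: int, mailing_address_id: int) -> MailingAddress:
    """The bug: the record is fetched by the id taken from the URL, and the
    logged-in account (session_user_id) is never compared against the record's
    owner. Any authenticated user who changes the id reads someone else's data."""
    try:
        return ADDRESSES[mailing_address_id]
    except KeyError:
        raise LookupError("no such address") from None


def edit_address_fixed(session_user_id: int, mailing_address_id: int) -> MailingAddress:
    """The fix: object-level authorization. The lookup is scoped to the
    authenticated account (in SQL terms, WHERE address_id = ? AND owner_id = ?),
    and a record that exists but belongs to someone else is rejected with the
    same error as a record that does not exist, so valid ids cannot be probed."""
    record = ADDRESSES.get(mailing_address_id)
    if record is None or record.owner_id != session_user_id:
        raise NotAuthorized("your account isn't authorized to view this page")
    return record


def is_authorized(session_user_id: int, mailing_address_id: int) -> bool:
    """True if the fixed handler lets this session view this address."""
    try:
        edit_address_fixed(session_user_id, mailing_address_id)
        return True
    except NotAuthorized:
        return False


def demonstrate(session_user_id: int, tampered_id: int) -> dict:
    """Run both handlers with a tampered id and report which one leaks the
    name on the record (None means the request was refused)."""
    result: dict[str, Optional[str]] = {"vulnerable": None, "fixed": None}
    try:
        result["vulnerable"] = edit_address_vulnerable(session_user_id, tampered_id).name
    except LookupError:
        pass
    try:
        result["fixed"] = edit_address_fixed(session_user_id, tampered_id).name
    except NotAuthorized:
        pass
    return result


if __name__ == "__main__":
    # Account 1 asks for account 2's address by changing the id in the URL.
    print(demonstrate(session_user_id=1, tampered_id=1002))
```

The essential difference is that the fixed handler derives the owner from the server-side session, never from anything the client sends, and makes ownership part of the lookup itself rather than a check bolted on after the fact.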
As for the risk, criminals could have written a tool to enumerate the parameter, harvest the records in bulk, and compile them into a dataset usable for fraud.
A name and a phone number alone are enough for scammers to target the victim.
The researcher reported the flaw to Alibaba. It appears that the retailer took no action at first.
At the moment, however, the vulnerability has been fixed and access to other accounts’ data is blocked: loading a page with a modified “mailingAddressId” parameter now produces an error stating that “your account isn’t authorized to view this page.”